Who Uses What — Burrow Personas
Burrow is built for four kinds of user. This page maps each one to the dashboard surfaces they spend most of their time in, so you can route the right people to the right starting point.
SOC analyst
Reads alerts, decides real vs noise, escalates the real ones, dismisses noise without losing the audit trail.
Daily flow:
- Open the Burrow home page. Read the severity, disposition, and risk-band donuts plus the trend chart.
- Open the Alerts page filtered to Critical and High.
- For each alert: read the AI "why this matters" narrative and the deterministic evidence (counts, timestamps, sampled events, IPs, sites). Click into the entity to compare against the user's behavioural baseline.
- For ambiguous cases, jump to Forage and pull the user's last 24 hours of activity for context.
- Mark a disposition (real, not real, maybe). Add an entity exception for repeat false-positive accounts.
Primary surfaces: the Burrow home page, Alerts, Identities (and the identity dossier), Investigations, and the per-alert Chat panel inside each alert's drill drawer.
What this persona cares about: speed, signal-to-noise, evidence trustworthiness. Burrow favours brevity and accuracy over volume. The deterministic rules engine is always the source of truth; the AI narration is verified against it before anything reaches the analyst's screen.
Admin
Keeps the noise floor low without dropping real signal, manages who receives emails, owns the detection engine configuration.
Weekly flow:
- Skim the weekly executive briefing emailed Monday morning.
- Open the Suggestions panel at the top of the Rules page — Burrow proposes specific tuning changes based on which rules have been most-dismissed by the SOC.
- Tune thresholds via the Rules page, or add user-pattern exceptions via the Exceptions page.
- Periodically check the History page for the trail of admin changes — who tuned what, when, with before-and-after diffs.
Primary surfaces: Rules, Exceptions, Sensitive sites, Sensitive labels, Internal domains, Settings, and Rule replay.
What this persona cares about: confidence that tuning won't blind the SOC, the ability to undo any change, and an evidence trail for every config decision.
Auditor / compliance
Answers historical questions ("what did this user access in May before they left?") and produces defensible evidence for HR, legal, or external audit.
Investigation flow:
- Open Forage. Type the entity and the date range.
- If the requested window is older than the on-disk retention, expand the Cold Storage panel and rehydrate the relevant months from Azure Blob.
- Once the rehydration job shows READY, click Search this entity on the job row. Forage re-runs the search with the cold months now included.
- Click CSV to download for HR or legal hand-off. The export preserves timestamps, IPs, user agents, and operation classes — full chain of custody.
Primary surfaces: Forage (and its Cold Storage panel), the weekly Briefing, the History page, and the Suppression journal viewer inside Settings — for proving what was filtered and why.
What this persona cares about: completeness (no silent gaps), exportability, chain of custody.
End user
Most end users never see Burrow directly. The cases where they do:
- An admin has added them to the alert recipient list (uncommon) so they receive alerts about their own activity.
- An incident escalation was emailed to a distribution list they're on.
There is no end-user self-service portal. End-user-facing content for Burrow is limited to "you received an email — here's what it means and who to contact internally". If you've landed on this article because of an email you received, contact your IT or SOC team and reference the alert's category and entity from the email body.
Next steps
- Quick tour of the dashboard — see each surface in context.
- Glossary — the Burrow vocabulary in one place.
- First-week onboarding checklist — the recommended reading order if you're new.
Need help? support@smikar.com.